Solved: Re: how to remove characters from strings

hqw · ‎07-21-2016

Hi all,

I have some value under geologic_city fields as below, but it has some problems. For example, actually Anshan and Anshan Shi is the same city, and i have multiple cities have this issue. I want to remove all "Shi" if the string has. Can anyone help me on this?

Thanks

javiergn · ‎07-21-2016

Try this:

| eval geoloc_city = trim(replace(geoloc_city, "Shi", ""))

Careful as it is case sensitive

EDIT. You can have a more granular control (including case insensitive mode) by using rex:

| rex field=geoloc_city "(?i)^(?<geoloc_city>.+?)(\sShi)?$"

View solution in original post

javiergn · ‎07-21-2016

Try this:

| eval geoloc_city = trim(replace(geoloc_city, "Shi", ""))

Careful as it is case sensitive

EDIT. You can have a more granular control (including case insensitive mode) by using rex:

| rex field=geoloc_city "(?i)^(?<geoloc_city>.+?)(\sShi)?$"

hqw · ‎07-21-2016

Thanks a lot javiergn, it works!

how to remove characters from strings

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Are you a member of the Splunk Community?

how to remove characters from strings

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management